Review and unblock forms detected and blocked for potential phishing

Review and unblock forms detected and blocked for potential phishing

In Microsoft Forms, we enable automated machine reviews to proactively detect the malicious collection of sensitive data in forms and temporary block those forms from collecting responses. Learn more about Microsoft Forms and proactive phishing prevention.

If you're a global and/or security administrator, we send you daily notifications of any form created within your tenant that has been detected and blocked for potential phishing. Here's how to review each form and unblock it if you believe it serves no malicious intent.

  1. Log in to the Microsoft 365 admin center at admin.microsoft.com.

  2. Go to the Message Center and look for a notification with Prevent/Fix: Microsoft Forms Detected Potential Phishing in the title.

    Message in Microsoft 365 admin center about Microsoft Forms phishing detection

    This notification contains a daily summary of any and all blocked forms created in your tenant.

    Note: If you don't see this notification in the All active messages tab/view, you may find it in the Dismissed messages tab/view.

  3. Click on the Forms admin review URL link in the notification to review blocked forms.

    Pointing to Forms admin review URL hyperlink in Microsoft 365 admin center post about Microsoft Forms and phishing detection
  4. For each form you determine serves no malicious intent, click the Unblock button in the upper right corner of the page.

    Notes: 

    • If you believe a form has malicious intent, no further action from you is required. The form will stay blocked until the form owner removes the content flagged for the malicious collection of sensitive data.

    • If you prefer to edit and/or delete the blocked content, you can generate a co-authoring page and manage the form as a co-author. To do this, click on the open a co-authoring page link located in the messaging above the form you're reviewing.

    • Upon review, you may see a block for a form has already been lifted. This means that in between the time a form was blocked and the time you reviewed it, the creator of the form removed keywords that were flagged for potential phishing. In this scenario, no further action from you is required.

Tips: 

  • We strongly suggest immediate password reset for an account in your tenant that you believe has been compromised.

  • If someone in your tenant requests for you to unblock their form, we suggest you ask for specific form information (e.g. date and time of block, title) in order to more efficiently identify the notification in the admin center. Since notifications are sent on a daily basis and include all detected forms in the last 24 hours, identifiable information for the form will be helpful.

See Also

Microsoft Forms and proactive phishing prevention

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×